The suggestions for CrocoBlock project

The security issue in the login form of the jet form builder plugin #7453

Closed 79ho3ein closed 3 months ago

79ho3ein commented 3 months ago

Hi crocoblock team,

I have created a login form using jet form builder. This form has a username field and a password field. The problem is that if one of these two fields is entered incorrectly by the user, the error that is displayed will tell the person (who can be an attacker) which one of the fields is entered correctly and which one is wrong! For example, I entered the username correctly, but entered the password incorrectly. See the following error:

Error: The password you entered for the username crocoblock2024 is incorrect. Lost your password?

Please add this option so we can customize the error text. For example: username or password is wrong.

This simple thing will improve the security of the login form.

Is there a quick fix (code) for that?

thank you

Crocoblock commented 3 months ago

Hi @79ho3ein.

This is not an error because it is the error text that WP returns, so it is displayed in the form.

If you want to change the error text, you can use the action wp_login_failed:

add_action(
    'wp_login_failed',
    function ( $username, $wp_error ) {
        // Change error text when the password is incorrect
        if ( isset( $wp_error->errors['incorrect_password'] ) ) {
            $wp_error->remove( 'incorrect_password' );
            $wp_error->add( 'incorrect_password', 'Your password is incorrect' );
        }

        // Change error text when the username is invalid
        if ( isset( $wp_error->errors['invalid_username'] ) ) {
            $wp_error->remove( 'invalid_username' );
            $wp_error->add( 'invalid_username', 'Your login is incorrect' );
        }

        // Change error text when the email is invalid
        if ( isset( $wp_error->errors['invalid_email'] ) ) {
            $wp_error->remove( 'invalid_email' );
            $wp_error->add( 'invalid_email', 'Your email is wrong!' );
        }
    },
    10,
    2
);

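The issue asked for a single "username or password is wrong" message; the following is an added example (not code from the issue, from Crocoblock or from JetFormBuilder) that uses the same wp_login_failed action but collapses all three core error codes into one generic message, so the response no longer reveals whether the username exists. It assumes WordPress 5.4 or newer, where wp_login_failed receives the WP_Error object as its second argument; the text domain `my-textdomain` is a placeholder.

```php
<?php
// Added example: uniform login failure message via wp_login_failed.
// Assumes WordPress >= 5.4 (second hook argument is the WP_Error object).

add_action(
    'wp_login_failed',
    function ( $username, $wp_error ) {
        if ( ! $wp_error instanceof WP_Error ) {
            return;
        }

        // Core codes whose wording differs depending on which field was wrong.
        $distinguishing_codes = array( 'invalid_username', 'invalid_email', 'incorrect_password' );

        // Same wording for every case, and no "Lost your password?" link, which
        // core attaches only to incorrect_password and so also leaks the outcome.
        $generic_message = __( 'Username or password is incorrect.', 'my-textdomain' );

        $replaced = false;
        foreach ( $distinguishing_codes as $code ) {
            if ( isset( $wp_error->errors[ $code ] ) ) {
                $wp_error->remove( $code );
                $replaced = true;
            }
        }

        // Only add the generic error when one of the distinguishing codes was
        // present; other errors (e.g. empty fields) are left untouched.
        if ( $replaced ) {
            $wp_error->add( 'authentication_failed', $generic_message );
        }
    },
    10,
    2
);
```

This removes the explicit disclosure described in the issue; the response can still differ in other ways (timing, other plugins adding their own errors), so check the rendered form output for each failure case after enabling it.
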
79ho3ein commented 3 months ago

Great, thank you @Crocoblock